11-19-2008, 06:48 PM   #6
Alvine
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: XP MediaCtrEd v2002 sp3


Re: Help: C:\Windows\Avguard.exe

ComboFix Log:

ComboFix 08-11-18.A2 - Admin 2008-11-19 19:36:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1056 [GMT -6:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\setup.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-17 19:41 . 2008-11-19 18:55 250 --a------ c:\windows\gmer.ini
2008-11-17 17:41 . 2008-11-17 17:41 <DIR> d-------- c:\program files\Trend Micro
2008-11-16 23:09 . 2008-11-19 19:33 100,864 --a------ c:\windows\avguard.exe
2008-11-16 22:20 . 2008-11-19 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-16 18:24 . 2008-11-16 18:24 <DIR> d-------- c:\program files\Alwil Software
2008-11-16 18:24 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-11-16 18:09 . 2008-11-16 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-16 16:59 . 2008-11-16 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-16 16:14 . 2008-11-16 16:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-16 15:55 . 2008-11-16 15:55 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-12 20:19 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 20:19 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 20:13 . 2008-11-10 21:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-06 22:58 . 2008-11-16 15:25 34 --a------ c:\windows\1.ini
2008-11-06 22:50 . 2008-11-06 22:50 237,568 --a------ c:\windows\system32\wowformf344_716.dll
2008-11-06 22:50 . 2008-11-06 22:50 20 --a------ c:\windows\syscheck
2008-10-23 20:15 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 23:58 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 22:42 --------- d-----w c:\program files\Java
2008-11-07 04:52 4,224 ----a-w c:\windows\system32\drivers\beep.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 00:37 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-16 00:35 --------- d-----w c:\program files\Sony
2008-10-06 04:51 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-06 04:33 --------- d-----w c:\documents and settings\Admin\Application Data\Sony Corporation
2008-10-06 04:29 --------- d-----w c:\documents and settings\Admin\Application Data\Drag'n Drop CD+DVD
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-07-01 00:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008063020080701\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 135168]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-16 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-16 20560]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2007-11-17 86098]
R2 wowsystemcode;Remote TCP/IP;c:\windows\System32\svchost.exe -k netsvcs [2004-03-31 14336]
S2 RPCH;Remote Procedure Call (HPM);c:\program files\NetMeeting\nmwb.exe []
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\NetMeeting\Winlog.exe [2008-11-06 456192]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\2w3so2pw.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPJPI142_01.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_01\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 19:37:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-19 19:38:09
ComboFix-quarantined-files.txt 2008-11-20 01:37:54

Pre-Run: 128,479,105,024 bytes free
Post-Run: 128,884,514,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

144 --- E O F --- 2008-11-13 09:02:06